diff -Nru ldns-1.6.17/debian/changelog ldns-1.6.17/debian/changelog --- ldns-1.6.17/debian/changelog 2016-06-28 11:14:55.000000000 +0000 +++ ldns-1.6.17/debian/changelog 2016-10-27 14:53:07.000000000 +0000 @@ -1,3 +1,10 @@ +ldns (1.6.17-10) unstable; urgency=medium + + [ A. Schulze ] + * experimental support openssl-1.1.x (Closes: #828377) + + -- Ondřej Surý Thu, 27 Oct 2016 16:53:07 +0200 + ldns (1.6.17-9) unstable; urgency=medium * Add ldns_resolver_clone function needed by libnet-ldns-perl diff -Nru ldns-1.6.17/debian/patches/0010-experimental-support-openssl-1.1.x.patch ldns-1.6.17/debian/patches/0010-experimental-support-openssl-1.1.x.patch --- ldns-1.6.17/debian/patches/0010-experimental-support-openssl-1.1.x.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldns-1.6.17/debian/patches/0010-experimental-support-openssl-1.1.x.patch 2016-10-27 14:53:07.000000000 +0000 @@ -0,0 +1,1148 @@ +From: "A. Schulze" +Date: Thu, 27 Oct 2016 16:52:39 +0200 +Subject: experimental support openssl-1.1.x + +--- + configure | 22 +++--- + dane.c | 6 +- + dnssec.c | 67 +++++++++++++++++ + dnssec_sign.c | 67 +++++++++++++++++ + dnssec_verify.c | 29 ++++++++ + drill/drill.c | 4 ++ + examples/ldns-dane.c | 4 ++ + examples/ldns-signzone.c | 5 ++ + host2str.c | 81 +++++++++++++++++++++ + keys.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++ + 10 files changed, 454 insertions(+), 13 deletions(-) + +diff --git a/configure b/configure +index 8bc7462..6a05115 100755 +--- a/configure ++++ b/configure +@@ -14501,10 +14501,10 @@ $as_echo "found in $ssldir" >&6; } + + fi + +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_init in -lcrypto" >&5 +-$as_echo_n "checking for HMAC_CTX_init in -lcrypto... " >&6; } +- LIBS="$LIBS -lcrypto" +- LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_reset in -lcrypto" >&5 ++$as_echo_n "checking for HMAC_CTX_reset in -lcrypto... " >&6; } ++ LIBS="$LIBS `pkg-config --libs libcrypto`" ++ LIBSSL_LIBS="$LIBSSL_LIBS `pkg-config --libs libcrypto`" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext + /* end confdefs.h. */ + +@@ -14512,8 +14512,8 @@ int + main () + { + +- int HMAC_CTX_init(void); +- (void)HMAC_CTX_init(); ++ int HMAC_CTX_reset(void); ++ (void)HMAC_CTX_reset(); + + ; + return 0; +@@ -14545,8 +14545,8 @@ int + main () + { + +- int HMAC_CTX_init(void); +- (void)HMAC_CTX_init(); ++ int HMAC_CTX_reset(void); ++ (void)HMAC_CTX_reset(); + + ; + return 0; +@@ -14577,8 +14577,8 @@ int + main () + { + +- int HMAC_CTX_init(void); +- (void)HMAC_CTX_init(); ++ int HMAC_CTX_reset(void); ++ (void)HMAC_CTX_reset(); + + ; + return 0; +@@ -14985,7 +14985,7 @@ esac + + + if test "x$HAVE_SSL" = "xyes"; then +-LIBSSL_SSL_LIBS="-lssl $LIBSSL_LIBS" ++LIBSSL_SSL_LIBS="`pkg-config --libs libssl` $LIBSSL_LIBS" + + fi + CPPFLAGS=$tmp_CPPFLAGS +diff --git a/dane.c b/dane.c +index 675dfa8..39da732 100644 +--- a/dane.c ++++ b/dane.c +@@ -312,6 +312,7 @@ ldns_dane_pkix_get_last_self_signed(X509** out_cert, + ldns_status s; + X509_STORE* empty_store = NULL; + X509_STORE_CTX* vrfy_ctx; ++ int err; + + assert(out_cert != NULL); + +@@ -327,8 +328,9 @@ ldns_dane_pkix_get_last_self_signed(X509** out_cert, + + } + (void) X509_verify_cert(vrfy_ctx); +- if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || +- vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ ++ err = X509_STORE_CTX_get_error(vrfy_ctx); ++ if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || ++ err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ + + *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx); + s = LDNS_STATUS_OK; +diff --git a/dnssec.c b/dnssec.c +index a41a9f6..c24303f 100644 +--- a/dnssec.c ++++ b/dnssec.c +@@ -376,10 +376,15 @@ ldns_key_buf2dsa_raw(unsigned char* key, size_t len) + return NULL; + } + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + dsa->p = P; + dsa->q = Q; + dsa->g = G; + dsa->pub_key = Y; ++#else ++ DSA_set0_pqg(dsa, P, Q, G); ++ DSA_set0_key(dsa, Y, NULL); ++#endif + #endif /* splint */ + + return dsa; +@@ -444,8 +449,12 @@ ldns_key_buf2rsa_raw(unsigned char* key, size_t len) + return NULL; + } + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + rsa->n = modulus; + rsa->e = exponent; ++#else ++ RSA_set0_key(rsa, modulus, exponent, NULL); ++#endif + #endif /* splint */ + + return rsa; +@@ -1711,6 +1720,10 @@ ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, + DSA_SIG *dsasig; + unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig); + size_t byte_offset; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *dsasig_r; ++ const BIGNUM *dsasig_s; ++#endif + + dsasig = d2i_DSA_SIG(NULL, + (const unsigned char **)&dsasig_data, +@@ -1726,22 +1739,38 @@ ldns_convert_dsa_rrsig_asn12rdf(const ldns_buffer *sig, + return NULL; + } + dsasig_data[0] = 0; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_get0(dsasig, &dsasig_r, NULL); ++ byte_offset = (size_t) (20 - BN_num_bytes(dsasig_r)); ++#else + byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r)); ++#endif + if (byte_offset > 20) { + DSA_SIG_free(dsasig); + LDNS_FREE(dsasig_data); + return NULL; + } + memset(&dsasig_data[1], 0, byte_offset); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_get0(dsasig, &dsasig_r, &dsasig_s); ++ BN_bn2bin(dsasig_r, &dsasig_data[1 + byte_offset]); ++ byte_offset = (size_t) (20 - BN_num_bytes(dsasig_s)); ++#else + BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]); + byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s)); ++#endif + if (byte_offset > 20) { + DSA_SIG_free(dsasig); + LDNS_FREE(dsasig_data); + return NULL; + } + memset(&dsasig_data[21], 0, byte_offset); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_get0(dsasig, NULL, &dsasig_s); ++ BN_bn2bin(dsasig_s, &dsasig_data[21 + byte_offset]); ++#else + BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]); ++#endif + + sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data); + if(!sigdata_rdf) { +@@ -1784,8 +1813,12 @@ ldns_convert_dsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, + return LDNS_STATUS_MEM_ERR; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_set0(dsasig, R, S); ++#else + dsasig->r = R; + dsasig->s = S; ++#endif + + raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig); + if (raw_sig_len < 0) { +@@ -1809,22 +1842,40 @@ ldns_rdf * + ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len) + { + ECDSA_SIG* ecdsa_sig; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *ecdsa_sig_r; ++ const BIGNUM *ecdsa_sig_s; ++#endif + unsigned char *data = (unsigned char*)ldns_buffer_begin(sig); + ldns_rdf* rdf; + ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len); + if(!ecdsa_sig) return NULL; + + /* "r | s". */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ECDSA_SIG_get0(ecdsa_sig, &ecdsa_sig_r, &ecdsa_sig_s); ++ data = LDNS_XMALLOC(unsigned char, ++ BN_num_bytes(ecdsa_sig_r) + BN_num_bytes(ecdsa_sig_s)); ++#else + data = LDNS_XMALLOC(unsigned char, + BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)); ++#endif + if(!data) { + ECDSA_SIG_free(ecdsa_sig); + return NULL; + } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ECDSA_SIG_get0(ecdsa_sig, &ecdsa_sig_r, &ecdsa_sig_s); ++ BN_bn2bin(ecdsa_sig_r, data); ++ BN_bn2bin(ecdsa_sig_s, data+BN_num_bytes(ecdsa_sig_r)); ++ rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)( ++ BN_num_bytes(ecdsa_sig_r) + BN_num_bytes(ecdsa_sig_s)), data); ++#else + BN_bn2bin(ecdsa_sig->r, data); + BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r)); + rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)( + BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data); ++#endif + ECDSA_SIG_free(ecdsa_sig); + return rdf; + } +@@ -1834,6 +1885,10 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, + const ldns_rdf *sig_rdf) + { + ECDSA_SIG* sig; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BIGNUM *sig_r; ++ BIGNUM *sig_s; ++#endif + int raw_sig_len; + long bnsize = (long)ldns_rdf_size(sig_rdf) / 2; + /* if too short, or not even length, do not bother */ +@@ -1843,6 +1898,17 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, + /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ + sig = ECDSA_SIG_new(); + if(!sig) return LDNS_STATUS_MEM_ERR; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ sig_r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf), ++ bnsize, NULL); ++ sig_s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize, ++ bnsize, NULL); ++ if(!sig_r || !sig_s) { ++ ECDSA_SIG_free(sig); ++ return LDNS_STATUS_MEM_ERR; ++ } ++ ECDSA_SIG_set0(sig, sig_r, sig_s); ++#else + sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf), + bnsize, sig->r); + sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize, +@@ -1851,6 +1917,7 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_buffer *target_buffer, + ECDSA_SIG_free(sig); + return LDNS_STATUS_MEM_ERR; + } ++#endif + + raw_sig_len = i2d_ECDSA_SIG(sig, NULL); + if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) { +diff --git a/dnssec_sign.c b/dnssec_sign.c +index 4af882a..f5c7be8 100644 +--- a/dnssec_sign.c ++++ b/dnssec_sign.c +@@ -127,7 +127,13 @@ ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *current_key) + b64rdf = ldns_sign_public_evp( + sign_buf, + ldns_key_evp_key(current_key), ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_dss1()); ++#else ++ EVP_sha1()); ++ /* man 3 EVP_dss1, last sentence ++ and https://lists.debian.org/debian-devel/2016/06/msg00505.html */ ++#endif + break; + case LDNS_SIGN_RSASHA1: + case LDNS_SIGN_RSASHA1_NSEC3: +@@ -316,6 +322,10 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key) + uint8_t *data; + size_t pad; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *sig_r; ++ const BIGNUM *sig_s; ++#endif + b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); + if (!b64sig) { + return NULL; +@@ -342,17 +352,35 @@ ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key) + } + + data[0] = 1; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_get0(sig, &sig_r, NULL); ++ pad = 20 - (size_t) BN_num_bytes(sig_r); ++#else + pad = 20 - (size_t) BN_num_bytes(sig->r); ++#endif + if (pad > 0) { + memset(data + 1, 0, pad); + } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_bn2bin(sig_r, (unsigned char *) (data + 1) + pad); ++#else + BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad); ++#endif + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ DSA_SIG_get0(sig, NULL, &sig_s); ++ pad = 20 - (size_t) BN_num_bytes(sig_s); ++#else + pad = 20 - (size_t) BN_num_bytes(sig->s); ++#endif + if (pad > 0) { + memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad); + } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_bn2bin(sig_s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); ++#else + BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); ++#endif + + sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, + 1 + 2 * SHA_DIGEST_LENGTH, +@@ -372,7 +400,11 @@ ldns_pkey_is_ecdsa(EVP_PKEY* pkey) + { + EC_KEY* ec; + const EC_GROUP* g; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if(EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) ++#else + if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) ++#endif + return 0; + ec = EVP_PKEY_get1_EC_KEY(pkey); + g = EC_KEY_get0_group(ec); +@@ -401,7 +433,11 @@ ldns_sign_public_evp(ldns_buffer *to_sign, + unsigned int siglen; + ldns_rdf *sigdata_rdf; + ldns_buffer *b64sig; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX *ctx; ++#else + EVP_MD_CTX ctx; ++#endif + const EVP_MD *md_type; + int r; + +@@ -419,19 +455,37 @@ ldns_sign_public_evp(ldns_buffer *to_sign, + return NULL; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ /* see https://www.openssl.org/news/cl110.txt */ ++ ctx = EVP_MD_CTX_new(); ++ if (!ctx) { ++ return NULL; ++ } ++ r = EVP_SignInit(ctx, md_type); ++ if(r == 1) { ++ r = EVP_SignUpdate(ctx, (unsigned char*) ++ ldns_buffer_begin(to_sign), ++ ldns_buffer_position(to_sign)); ++#else + EVP_MD_CTX_init(&ctx); + r = EVP_SignInit(&ctx, md_type); + if(r == 1) { + r = EVP_SignUpdate(&ctx, (unsigned char*) + ldns_buffer_begin(to_sign), + ldns_buffer_position(to_sign)); ++#endif + } else { + ldns_buffer_free(b64sig); + return NULL; + } + if(r == 1) { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ r = EVP_SignFinal(ctx, (unsigned char*) ++ ldns_buffer_begin(b64sig), &siglen, key); ++#else + r = EVP_SignFinal(&ctx, (unsigned char*) + ldns_buffer_begin(b64sig), &siglen, key); ++#endif + } else { + ldns_buffer_free(b64sig); + return NULL; +@@ -443,10 +497,18 @@ ldns_sign_public_evp(ldns_buffer *to_sign, + + /* unfortunately, OpenSSL output is differenct from DNS DSA format */ + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (EVP_PKEY_type(EVP_PKEY_id(key)) == EVP_PKEY_DSA) { ++#else + if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { ++#endif + sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen); + #ifdef USE_ECDSA ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ } else if(EVP_PKEY_type(EVP_PKEY_id(key)) == EVP_PKEY_EC && ++#else + } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC && ++#endif + ldns_pkey_is_ecdsa(key)) { + sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen); + #endif +@@ -457,7 +519,12 @@ ldns_sign_public_evp(ldns_buffer *to_sign, + } + #endif /* splint */ + ldns_buffer_free(b64sig); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX_free(ctx); ++ /* see https://www.openssl.org/news/cl110.txt */ ++#else + EVP_MD_CTX_cleanup(&ctx); ++#endif + return sigdata_rdf; + } + +diff --git a/dnssec_verify.c b/dnssec_verify.c +index 1af6635..93e100b 100644 +--- a/dnssec_verify.c ++++ b/dnssec_verify.c +@@ -2485,9 +2485,31 @@ ldns_status + ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen, + ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type) + { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ EVP_MD_CTX *ctx; ++#else + EVP_MD_CTX ctx; ++#endif + int res; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ /* see https://www.openssl.org/news/cl110.txt */ ++ ctx = EVP_MD_CTX_new(); ++ if (!ctx) { ++ /* TODO how to communicate internal SSL error? ++ let caller use ssl's get_error() */ ++ return LDNS_STATUS_SSL_ERR; ++ } ++ EVP_VerifyInit(ctx, digest_type); ++ EVP_VerifyUpdate(ctx, ++ ldns_buffer_begin(rrset), ++ ldns_buffer_position(rrset)); ++ ++ res = EVP_VerifyFinal(ctx, sig, (unsigned int) siglen, key); ++ ++ /* see https://www.openssl.org/news/cl110.txt */ ++ EVP_MD_CTX_free(ctx); ++#else + EVP_MD_CTX_init(&ctx); + + EVP_VerifyInit(&ctx, digest_type); +@@ -2497,6 +2519,7 @@ ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen, + res = EVP_VerifyFinal(&ctx, sig, (unsigned int) siglen, key); + + EVP_MD_CTX_cleanup(&ctx); ++#endif + + if (res == 1) { + return LDNS_STATUS_OK; +@@ -2554,7 +2577,13 @@ ldns_verify_rrsig_dsa_raw(unsigned char* sig, size_t siglen, + siglen, + rrset, + evp_key, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_dss1()); ++#else ++ /* man 3 EVP_dss1, last sentence ++ and https://lists.debian.org/debian-devel/2016/06/msg00505.html */ ++ EVP_sha1()); ++#endif + } else { + result = LDNS_STATUS_SSL_ERR; + } +diff --git a/drill/drill.c b/drill/drill.c +index b967ad9..cd2e30e 100644 +--- a/drill/drill.c ++++ b/drill/drill.c +@@ -974,7 +974,11 @@ main(int argc, char *argv[]) + xfree(tsig_algorithm); + + #ifdef HAVE_SSL ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ERR_remove_thread_state(NULL); ++#else + ERR_remove_state(0); ++#endif + CRYPTO_cleanup_all_ex_data(); + ERR_free_strings(); + EVP_cleanup(); +diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c +index 93c18e5..e9d19cb 100644 +--- a/examples/ldns-dane.c ++++ b/examples/ldns-dane.c +@@ -1637,8 +1637,12 @@ main(int argc, char* const* argv) + ssl_err("could not SSL_get_certificate"); + } + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ extra_certs = X509_STORE_CTX_get1_chain(ctx); ++#else + extra_certs = ctx->extra_certs; + #endif ++#endif + + switch (mode) { + case CREATE: dane_create(tlsas, tlsa_owner, certificate_usage, +diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c +index ffdd3c0..c3945bf 100644 +--- a/examples/ldns-signzone.c ++++ b/examples/ldns-signzone.c +@@ -376,7 +376,12 @@ main(int argc, char *argv[]) + + keys = ldns_key_list_new(); + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); ++ /* TODO: is OPENSSL_INIT_ENGINE_ALL_BUILTIN a good selection? */ ++#else + OPENSSL_config(NULL); ++#endif + + while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) { + switch (c) { +diff --git a/host2str.c b/host2str.c +index e2c936b..cecf86b 100644 +--- a/host2str.c ++++ b/host2str.c +@@ -2011,7 +2011,22 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + * print to buf */ + ldns_buffer_printf(output, "Modulus: "); + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *rsa_n; ++ const BIGNUM *rsa_e; ++ const BIGNUM *rsa_d; ++ const BIGNUM *rsa_p; ++ const BIGNUM *rsa_q; ++ const BIGNUM *rsa_dmp1; ++ const BIGNUM *rsa_dmq1; ++ const BIGNUM *rsa_iqmp; ++ RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); ++ RSA_get0_factors(rsa, &rsa_p, &rsa_q); ++ RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp); ++ i = (uint16_t)BN_bn2bin(rsa_n, bignum); ++#else + i = (uint16_t)BN_bn2bin(rsa->n, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2023,7 +2038,11 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + ldns_rdf_deep_free(b64_bignum); + ldns_buffer_printf(output, "\n"); + ldns_buffer_printf(output, "PublicExponent: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ i = (uint16_t)BN_bn2bin(rsa_e, bignum); ++#else + i = (uint16_t)BN_bn2bin(rsa->e, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2036,8 +2055,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + ldns_buffer_printf(output, "\n"); + + ldns_buffer_printf(output, "PrivateExponent: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_d) { ++ i = (uint16_t)BN_bn2bin(rsa_d, bignum); ++#else + if (rsa->d) { + i = (uint16_t)BN_bn2bin(rsa->d, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2053,8 +2077,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Prime1: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_p) { ++ i = (uint16_t)BN_bn2bin(rsa_p, bignum); ++#else + if (rsa->p) { + i = (uint16_t)BN_bn2bin(rsa->p, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2070,8 +2099,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Prime2: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_q) { ++ i = (uint16_t)BN_bn2bin(rsa_q, bignum); ++#else + if (rsa->q) { + i = (uint16_t)BN_bn2bin(rsa->q, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2087,8 +2121,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Exponent1: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_dmp1) { ++ i = (uint16_t)BN_bn2bin(rsa_dmp1, bignum); ++#else + if (rsa->dmp1) { + i = (uint16_t)BN_bn2bin(rsa->dmp1, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2104,8 +2143,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Exponent2: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_dmq1) { ++ i = (uint16_t)BN_bn2bin(rsa_dmq1, bignum); ++#else + if (rsa->dmq1) { + i = (uint16_t)BN_bn2bin(rsa->dmq1, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2121,8 +2165,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Coefficient: "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (rsa_iqmp) { ++ i = (uint16_t)BN_bn2bin(rsa_iqmp, bignum); ++#else + if (rsa->iqmp) { + i = (uint16_t)BN_bn2bin(rsa->iqmp, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2155,8 +2204,20 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + * print to buf */ + ldns_buffer_printf(output, "Prime(p): "); + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *dsa_p; ++ const BIGNUM *dsa_q; ++ const BIGNUM *dsa_g; ++ const BIGNUM *dsa_pub_key; ++ const BIGNUM *dsa_priv_key; ++ DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g); ++ DSA_get0_key(dsa, &dsa_pub_key, &dsa_priv_key); ++ if (dsa_p) { ++ i = (uint16_t)BN_bn2bin(dsa_p, bignum); ++#else + if (dsa->p) { + i = (uint16_t)BN_bn2bin(dsa->p, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2172,8 +2233,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Subprime(q): "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (dsa_q) { ++ i = (uint16_t)BN_bn2bin(dsa_q, bignum); ++#else + if (dsa->q) { + i = (uint16_t)BN_bn2bin(dsa->q, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2189,8 +2255,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Base(g): "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (dsa_g) { ++ i = (uint16_t)BN_bn2bin(dsa_g, bignum); ++#else + if (dsa->g) { + i = (uint16_t)BN_bn2bin(dsa->g, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2206,8 +2277,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Private_value(x): "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (dsa_priv_key) { ++ i = (uint16_t)BN_bn2bin(dsa_priv_key, bignum); ++#else + if (dsa->priv_key) { + i = (uint16_t)BN_bn2bin(dsa->priv_key, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +@@ -2223,8 +2299,13 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) + } + + ldns_buffer_printf(output, "Public_value(y): "); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (dsa_pub_key) { ++ i = (uint16_t)BN_bn2bin(dsa_pub_key, bignum); ++#else + if (dsa->pub_key) { + i = (uint16_t)BN_bn2bin(dsa->pub_key, bignum); ++#endif + if (i > LDNS_MAX_KEYLEN) { + goto error; + } +diff --git a/keys.c b/keys.c +index 46f6a3d..ad66225 100644 +--- a/keys.c ++++ b/keys.c +@@ -556,6 +556,16 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + RSA *rsa; + uint8_t *buf; + int i; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BIGNUM *rsa_n = NULL; ++ BIGNUM *rsa_e = NULL; ++ BIGNUM *rsa_d = NULL; ++ BIGNUM *rsa_p = NULL; ++ BIGNUM *rsa_q = NULL; ++ BIGNUM *rsa_dmp1 = NULL; ++ BIGNUM *rsa_dmq1 = NULL; ++ BIGNUM *rsa_iqmp = NULL; ++#endif + + d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); + buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); +@@ -574,8 +584,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_n = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_n) { ++#else + rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->n) { ++#endif + goto error; + } + +@@ -584,8 +599,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_e = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_e) { ++#else + rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->e) { ++#endif + goto error; + } + +@@ -594,18 +614,33 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_d = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_d) { ++#else + rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->d) { ++#endif ++ goto error; ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (!RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d)) { + goto error; + } ++#endif + + /* Prime1, rsa->p */ + if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_p = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_p) { ++#else + rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->p) { ++#endif + goto error; + } + +@@ -614,18 +649,33 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_q = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_q) { ++#else + rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->q) { ++#endif ++ goto error; ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (!RSA_set0_factors(rsa, rsa_p, rsa_q)) { + goto error; + } ++#endif + + /* Exponent1, rsa->dmp1 */ + if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_dmp1) { ++#else + rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->dmp1) { ++#endif + goto error; + } + +@@ -634,8 +684,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_dmq1) { ++#else + rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->dmq1) { ++#endif + goto error; + } + +@@ -644,10 +699,20 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ rsa_iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!rsa_iqmp) { ++#else + rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa->iqmp) { ++#endif ++ goto error; ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (!(RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp))) { + goto error; + } ++#endif + #endif /* splint */ + + LDNS_FREE(buf); +@@ -655,6 +720,16 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) + return rsa; + + error: ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_free(rsa_n); ++ BN_free(rsa_e); ++ BN_free(rsa_d); ++ BN_free(rsa_p); ++ BN_free(rsa_q); ++ BN_free(rsa_dmp1); ++ BN_free(rsa_dmq1); ++ BN_free(rsa_iqmp); ++#endif + RSA_free(rsa); + LDNS_FREE(d); + LDNS_FREE(buf); +@@ -675,6 +750,14 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + DSA *dsa; + uint8_t *buf; + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BIGNUM *dsa_p = NULL; ++ BIGNUM *dsa_q = NULL; ++ BIGNUM *dsa_g = NULL; ++ BIGNUM *dsa_priv_key = NULL; ++ BIGNUM *dsa_pub_key = NULL; ++#endif ++ + d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); + buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); + dsa = DSA_new(); +@@ -690,8 +773,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); + #ifndef S_SPLINT_S ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ dsa_p = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!dsa_p) { ++#else + dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa->p) { ++#endif + goto error; + } + +@@ -700,8 +788,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ dsa_q = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!dsa_q) { ++#else + dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa->q) { ++#endif + goto error; + } + +@@ -710,18 +803,33 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ dsa_g = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!dsa_g) { ++#else + dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa->g) { ++#endif ++ goto error; ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (!(DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g))) { + goto error; + } ++#endif + + /* Private key, dsa->priv_key */ + if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ dsa_priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!dsa_priv_key) { ++#else + dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa->priv_key) { ++#endif + goto error; + } + +@@ -730,10 +838,20 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + goto error; + } + i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ dsa_pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); ++ if (!dsa_pub_key) { ++#else + dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa->pub_key) { ++#endif ++ goto error; ++ } ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ if (!(DSA_set0_key(dsa, dsa_pub_key, dsa_priv_key))) { + goto error; + } ++#endif + #endif /* splint */ + + LDNS_FREE(buf); +@@ -742,6 +860,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) + return dsa; + + error: ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_free(dsa_p); ++ BN_free(dsa_q); ++ BN_free(dsa_g); ++ BN_free(dsa_priv_key); ++ BN_free(dsa_pub_key); ++#endif + LDNS_FREE(d); + LDNS_FREE(buf); + DSA_free(dsa); +@@ -825,6 +950,9 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) + # ifdef USE_ECDSA + EC_KEY *ec = NULL; + # endif ++# if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BIGNUM *e = BN_new(); ++# endif + #else + int i; + uint16_t offset = 0; +@@ -842,8 +970,15 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) + case LDNS_SIGN_RSASHA256: + case LDNS_SIGN_RSASHA512: + #ifdef HAVE_SSL ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_set_word(e, RSA_F4); ++ r = RSA_new(); /* TODO: RSA_new() may fail */ ++ if (!BN_set_word(e, RSA_F4) || !RSA_generate_key_ex(r, (int)size, e, NULL)) { ++ BN_free(e); ++#else + r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); + if(!r) { ++#endif + ldns_key_free(k); + return NULL; + } +@@ -858,8 +993,13 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) + case LDNS_SIGN_DSA: + case LDNS_SIGN_DSA_NSEC3: + #ifdef HAVE_SSL ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ d = DSA_new(); /* TODO: DSA_new() may fail */ ++ if (!DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) { ++#else + d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); + if (!d) { ++#endif + ldns_key_free(k); + return NULL; + } +@@ -1289,6 +1429,18 @@ ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) + return false; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *k_n; ++ const BIGNUM *k_e; ++ RSA_get0_key(k, &k_n, &k_e, NULL); ++ if (BN_num_bytes(k_e) <= 256) { ++ /* normally only this path is executed (small factors are ++ * more common ++ */ ++ data[0] = (unsigned char) BN_num_bytes(k_e); ++ i = BN_bn2bin(k_e, data + 1); ++ j = BN_bn2bin(k_n, data + i + 1); ++#else + if (BN_num_bytes(k->e) <= 256) { + /* normally only this path is executed (small factors are + * more common +@@ -1296,15 +1448,28 @@ ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) + data[0] = (unsigned char) BN_num_bytes(k->e); + i = BN_bn2bin(k->e, data + 1); + j = BN_bn2bin(k->n, data + i + 1); ++#endif + *size = (uint16_t) i + j; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ } else if (BN_num_bytes(k_e) <= 65536) { ++#else + } else if (BN_num_bytes(k->e) <= 65536) { ++#endif + data[0] = 0; + /* BN_bn2bin does bigendian, _uint16 also */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k_e)); ++ ++ BN_bn2bin(k_e, data + 3); ++ BN_bn2bin(k_n, data + 4 + BN_num_bytes(k_e)); ++ *size = (uint16_t) BN_num_bytes(k_n) + 6; ++#else + ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); + + BN_bn2bin(k->e, data + 3); + BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e)); + *size = (uint16_t) BN_num_bytes(k->n) + 6; ++#endif + } else { + return false; + } +@@ -1322,7 +1487,17 @@ ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) + } + + /* See RFC2536 */ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ const BIGNUM *k_p; ++ const BIGNUM *k_q; ++ const BIGNUM *k_g; ++ const BIGNUM *k_pub_key; ++ DSA_get0_pqg(k, &k_p, &k_q, &k_g); ++ DSA_get0_key(k, &k_pub_key, NULL); ++ *size = (uint16_t)BN_num_bytes(k_p); ++#else + *size = (uint16_t)BN_num_bytes(k->p); ++#endif + T = (*size - 64) / 8; + memcpy(data, &T, 1); + +@@ -1336,10 +1511,17 @@ ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) + + /* size = 64 + (T * 8); */ + data[0] = (unsigned char)T; ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L ++ BN_bn2bin(k_q, data + 1 ); /* 20 octects */ ++ BN_bn2bin(k_p, data + 21 ); /* offset octects */ ++ BN_bn2bin(k_g, data + 21 + *size); /* offset octets */ ++ BN_bn2bin(k_pub_key, data + 21 + *size + *size); /* offset octets */ ++#else + BN_bn2bin(k->q, data + 1 ); /* 20 octects */ + BN_bn2bin(k->p, data + 21 ); /* offset octects */ + BN_bn2bin(k->g, data + 21 + *size); /* offset octets */ + BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */ ++#endif + *size = 21 + (*size * 3); + return true; + } diff -Nru ldns-1.6.17/debian/patches/series ldns-1.6.17/debian/patches/series --- ldns-1.6.17/debian/patches/series 2016-06-28 11:14:55.000000000 +0000 +++ ldns-1.6.17/debian/patches/series 2016-10-27 14:53:07.000000000 +0000 @@ -7,3 +7,4 @@ 0007-Fix-perl-error-in-doxyparse.pl.patch 0008-Makefile.in-Don-t-pass-CPPFLAGS-to-swig-Closes-81123.patch 0009-Introduce-ldns_resolver_clone-needed-by-libnet-ldns-.patch +0010-experimental-support-openssl-1.1.x.patch